LinkedIn to face £3m lawsuit over password breach

Following up on the news last week that LinkedIn had suffered a major security breach in which huge numbers of user account passwords were put at risk (previously discussed), there is news today that a Chicago resident has filed a class action lawsuit against the company seeking US$5,000,000 in damages.

Paragraph three of the complaint states that through its privacy policy, LinkedIn promises that all information that [they] provide [to LinkedIn] will be protected with industry standards, protocols and technology. In direct contradiction to this promise, LinkedIn failed to comply with basic industry standards by maintaining millions of users’ personal information in its servers’ databases in a weak encryption format, and without implementing other crucial security measures.

Without wishing to comment on the legal merits of this suit, the publicly available information implies that LinkedIn did indeed fail to implement good practice measures with regards to protecting user accounts – the password hashes were poor practice in 2002 and it would certainly be bad practice to no update your security for over 10 years.

Understandably, LinkedIn is reluctant to comment, other than to say:

We believe these claims are without merit, and we will defend the company vigorously against suits trying to leverage third-party criminal behaviour.

This is a reasonable approach, and given the legal might LinkedIn is likely to be able to wield here, it is likely that they will be successful in their defence, although they may end up in an expensive trial and will suffer a lot of adverse publicity.

However, this misses what is probably the most important point – all of this could have been avoided by properly investing in security. As always, the painful less from this is that yet another company (and a “techy” one which really should have known better), has tried to save money, and increase profits, by putting its prize assets at risk.

Even if the lawsuit is unsuccessful, it is likely to cost LinkedIn significantly more than the £50 – 60k they have saved over the last ten years cutting back in their security.

This is an important lesson for every organisation to take on board. It may seem like a good move to make your security function reduce its budgets, but you will never, ever, save enough to cover the costs of one major breach.

Taking risks is part of business, but when it comes to security of critical assets, these risks should be properly managed and assessed as part of your risk management function. If you are going to gamble, make sure you are properly investing the money saved to cover the inevitable consequences. Anything else is simply bad business.